This blog is intended to collect information on my various interests and pen my opinion on the information gathered. It is not intended to educate anyone about the information posted, but you are most welcome to share your views on it.

Tuesday, January 17, 2012

Linux IPTables: Incoming and Outgoing Rule Examples (SSH and HTTP)

In our previous IPTables firewall series article, we reviewed how to add a firewall rule using “iptables -A”.

We also explained how to allow an incoming SSH connection. At a high level, it involves the following 3 steps.

The above works, but it is not complete. One problem with those steps is that they don’t restrict outgoing packets.

Default Chain Policy

The default policy of a chain is ACCEPT. If you don’t know what a chain means, read our iptables introduction article first. So, the default policy of both the INPUT and OUTPUT chains is ACCEPT. In the above 3 steps we dropped all incoming packets at the end (except incoming ssh). However, we didn’t restrict the outgoing traffic.

When you list the rules, it says “(policy ACCEPT)” next to all three chain names (INPUT, OUTPUT, and FORWARD). This indicates that the default policy of each chain is ACCEPT.

Option 1: Add drop rules

At the end, add the following three drop rules, which drop all incoming, outgoing, and forwarded packets (except those accepted by the rules defined above these three). If you do this, the default chain policy is still ACCEPT, which shouldn’t matter, as you are dropping all remaining packets at the end anyway. Note that rule order matters: iptables evaluates rules top to bottom, so the drop rules must come last.

iptables -A INPUT: Append the new rule to the INPUT chain. For incoming connection requests, this always has to be INPUT.

-i eth0: This refers to the input interface. For incoming connections, this always has to be ‘-i’.

-p tcp: Indicates that this is for TCP protocol.

--dport 22: This refers to the destination port for the incoming connection. Port 22 is for ssh.

-m state: This indicates that the “state” matching module is used. We’ll discuss the “-m” option (and all available matching modules for iptables) in more detail in a future article.

--state NEW,ESTABLISHED: Options for the “state” matching module. In this example, only the NEW and ESTABLISHED states are allowed. The first time an SSH connection request is initiated from the client to the server, the NEW state is used. The ESTABLISHED state is used for all further packets from the client to the server on that connection.

iptables -A OUTPUT: Append the new rule to the OUTPUT chain. Since this is for the response rule (for the corresponding incoming request) that goes out from the server, this should be OUTPUT.

-o eth0: This refers to the output interface. For outgoing connections, this always has to be ‘-o’.

-p tcp: Indicates that this is for TCP protocol.

--sport 22: This refers to the source port for the outgoing connection. Port 22 is for ssh. Since the incoming request (from the previous rule) came to the “destination” port, the outgoing response will go out from the “source” port.

-m state: This indicates that the “state” matching module is used.

--state ESTABLISHED: Since this is a response rule, we allow only ESTABLISHED connections (and not any NEW connection).

Example 2: Allow incoming HTTP connection

This is to allow HTTP connections from outside to your server, i.e. you can view the website running on the server from outside.

Just like the SSH incoming rules above, this also involves two steps. First, we need to allow new incoming HTTP connections (destination port 80 on the INPUT chain). Once the incoming HTTP connection is allowed, we need to allow the response back for that incoming HTTP connection (source port 80 on the OUTPUT chain, ESTABLISHED only).

The following rules allow an outgoing SSH connection from the server to the outside, which is the reverse of Example 1: because the server initiates the connection, the request rule goes on the OUTPUT chain and the response rule on the INPUT chain.

iptables -A OUTPUT: Append the new rule to the OUTPUT chain. For outgoing connection requests, this always has to be OUTPUT.

-o eth0: This refers to the output interface. For outgoing connections, this always has to be ‘-o’.

-p tcp: Indicates that this is for TCP protocol.

--dport 22: This refers to the destination port for the outgoing connection. Port 22 is for ssh.

-m state: This indicates that the “state” matching module is used.

--state NEW,ESTABLISHED: Options for the “state” matching module. In this example, only the NEW and ESTABLISHED states are allowed. The first time an SSH connection request is initiated from the server to the outside, the NEW state is used. The ESTABLISHED state is used for all further packets from the server to the outside on that connection.

iptables -A INPUT: Append the new rule to the INPUT chain. Since this is for the response rule (for the corresponding outgoing request) that comes from the outside to the server, this should be INPUT.

-i eth0: This refers to the input interface. For incoming connections, this always has to be ‘-i’.

-p tcp: Indicates that this is for TCP protocol.

--sport 22: This refers to the source port for the incoming connection. Since the outgoing request (from the previous rule) went to the “destination” port, the incoming response will come back from the “source” port.

-m state: This indicates that the “state” matching module is used.

--state ESTABLISHED: Since this is a response rule, we allow only ESTABLISHED connections (and not any NEW connection).
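The complete rule set walked through above, as an added example that is not code from the original post: the incoming SSH rules (Example 1), the incoming HTTP rules (Example 2), the outgoing SSH rules, and the three trailing drop rules from Option 1, loaded in the order iptables needs. It assumes the public interface is eth0 (as in the article), that the script runs as root when applying, and that setting IPT=echo turns it into a dry run that only prints the commands.

```shell
#!/bin/sh
# Added example, not from the original article. Builds the rule set the
# article describes. IPT defaults to the real iptables binary; set IPT=echo
# to print the rules instead of applying them. IFACE is assumed to be eth0.
IPT="${IPT:-iptables}"
IFACE="${IFACE:-eth0}"

# Example 1: accept new and established incoming SSH, and let the server's
# responses (source port 22) back out only for ESTABLISHED connections.
allow_incoming_ssh() {
    $IPT -A INPUT  -i "$IFACE" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
}

# Example 2: same pattern for HTTP on port 80.
allow_incoming_http() {
    $IPT -A INPUT  -i "$IFACE" -p tcp --dport 80 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A OUTPUT -o "$IFACE" -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
}

# Outgoing SSH initiated by the server: the request leaves via OUTPUT with
# destination port 22, the reply comes back via INPUT from source port 22.
allow_outgoing_ssh() {
    $IPT -A OUTPUT -o "$IFACE" -p tcp --dport 22 -m state --state NEW,ESTABLISHED -j ACCEPT
    $IPT -A INPUT  -i "$IFACE" -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
}

# Option 1 from the article: drop everything the rules above did not accept.
# These are appended last because iptables evaluates rules in order.
drop_everything_else() {
    $IPT -A INPUT   -j DROP
    $IPT -A OUTPUT  -j DROP
    $IPT -A FORWARD -j DROP
}

# Accept rules first, drop rules last.
build_rules() {
    allow_incoming_ssh
    allow_incoming_http
    allow_outgoing_ssh
    drop_everything_else
}

# Usage: "sh rules.sh apply" loads the rules; "sh rules.sh dry-run" prints them.
case "${1:-}" in
    apply)   build_rules ;;
    dry-run) IPT=echo build_rules ;;
esac
```

Run the dry-run first and compare its output with the option-by-option explanations above before applying on a real host.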

About Me

Hi, this is Suresh Kumar Pakalapati. I am a person who is positive about every aspect of life. There are many things I like to do, to see, and to experience. I like to feel the music flowing on my face, I like good books and romantic, action and cartoon movies. I like the land and nature, and I like to keep a smile on my face. I always wanted to be a great and successful person in the world, and I know it needs more and more education and more work; success never comes in a short time.